A contractor working for the US Secret Service walked onto a Washington, DC Metro train carrying two tapes full of extremely sensitive data. He got off at his stop carrying neither.
A few years later, the US Secret Service is under investigation for what’s being described as an “immense breach”.
The tapes contained personal information about all agency employees, contacts and overseas informants, according to Fox News, which interviewed multiple law enforcement and congressional sources for the story.
The extremely sensitive personal data included Social Security Numbers, home addresses, information about family members, phone numbers, dates of birth, medical information, bank account numbers, employment information, driver’s license numbers, passport numbers, and biometric information – all of which were secured only with “very basic encryption”, according to Fox News, which quoted a Secret Service source with knowledge of the incident:
"It was very basic encryption. Let's just say it wouldn't take a genius to crack it."
This contradicts the Secret Service’s account.
Secret Service spokesman Ed Donovan told Fox News that the data was secured by “multiple layers of security”:
"In February of 2008, a contract employee whose function was to maintain, secure and transport this type of information lost two 'back-up' tapes on the DC Metro while transporting them to an off-site facility. These back-up tapes were not marked or identified in any way and were protected by multiple layers of security. They could not be accessed without the proper equipment, applications and encoding."
The Department of Homeland Security Office of Inspector General (DHS-OIG) is investigating the incident.
It’s only one of 13 ongoing investigations into the Secret Service, dubbed “Culture of Secret Service” and launched at the behest of the Senate Homeland Committee following the Cartagena, Colombia prostitution scandal in April.
The DHS-OIG report on the agency’s culture is expected in the spring.
The tapes were lost on the Red Line of the Metro in 2008 by a reportedly young, low-ranking employee of a private contracting company hired to transport them from headquarters to a secure vault in Olney, Md., where, Fox says, government agencies store contingency plans, documents and other backup material.
The employee volunteered to drop off the tapes because he lived near the vault, but he got off at the Glenmont, Md., Metro stop without the tapes.
Sources told Fox News that the Secret Service failed to follow strict DHS protocols for reporting and responding to privacy incidents involving personally identifying information (PII).
Secret Service officials contacted Metro Transit Police and asked them to keep an eye out for the tapes but filed no police report. Neither did they inform law enforcement or affected staff of the severity of the breach, the sources said – basically, they just whitewashed the incident.
One source told Fox that it’s typical for the agency:
"They just covered it up so they wouldn't get in trouble, so they wouldn't be scrutinized for such a huge breach of security... That's why OIG opened up a case on this matter—and the other ones they've opened up are similar in that they show efforts on the part of Secret Service leadership to whitewash security breaches."
At the time of the prostitution scandal, President Obama praised the Secret Service overall, saying that the conduct of “a couple of knuckleheads” shouldn’t detract from the agency’s good work.
The prospect of losing a backup tape (or two) isn’t going away as long as humans remain frail and error-prone.
Does it reflect a more pervasively weak approach to security?
Let’s withhold judgment until the report comes out.
But if the report confirms the allegations of weak encryption on the tapes, failing to follow DHS protocol in properly reporting breaches, and failing to inform the many staff members whose PII was lost, then for shame, Secret Service, for shame.